hammer out something that had happened earlier. And these guys, this, these two guys kept coming
up talking to him at like four in the morning, wanting to walk up and talk him and touch him
and hug him. And he looked and said, will you go away? He's like, yeah, but, but no go away.
We're trying to have a talk here. How do you approach him at another time when we were sitting
around just chit-chatting or whatnot, or, or just walking through the hallway and bump into him and
say, Oh, Hey, aren't you so-and-so? Hey, I caught your speech. Uh, or I saw you on TV,
read one of your books, read a review, you know, that was pretty good. And, you know, Hey,
Hey, I got a question. If you got time, you put it at, you know, their convenience, don't demand
attention from people because they may or may not be busy. And if they're busy and you're demanding
their time at that exact moment, it's rude. And a lot of times you have to just, you have to flip
places. Do you want someone coming up to you and doing to you what you're doing to them? And the
answer is no, don't do it. I mean, it's, it's pretty straightforward. I'm like, you know,
there's another case point, which one of the guys in the back was laughing. They asked me,
are you going to go up and tell them all? Don't be an ass. Yes. As a matter of fact,
I'm going to tell people don't be an ass. Um, and then the last bullet point kind of goes along
a little bit with philosophy, with maturity and temper tantrums. And, you know, someone on IRC
says something you don't like, and you decide you're going to, you're going to packet the guy.
Okay. That's cute. That's real mature. Nice. You're a, you know, so you're five hops away
from the guy. So basically you got three systems. You're going to, you're going to, you're going to
systems in between that you're also packeting and flooding these guys and tying up their time
and it's on their dime. And something I, you know, I say that, you know, think about what you're
going to do, weigh your actions. If you feel that, you know, that whatever you're about to
do DOS packeting, or, or just being a general nuisance on the net to something, if you feel
this attack is justified and you know, the, the, it's the consequences don't outweigh your actions.
Well, I'm not going to tell you not to do it. Straight up, if you feel that you are right, go ahead and do it, but there's going to be
consequences. There will be backlash and make sure, ask yourself, am I just, you know, throwing
a temper tantrum? Am I getting my nose out of joint? Cause some guy called me a loser on IRC.
You know, if, if what something that somebody says on IRC, is that important to you?
You need counseling because it's just IRC.
You know, I, I have seen more wars. I have seen more fights. I have seen more long-term battling going on over IRC and I don't get it.
I have, I've been doing various forms of online chat for at least 15 years on various networks and servers and hooking up with people.
I, I love the medium. It is a great way to get to know people. You talk to people on a different level. It's cerebral. You're talking brain to brain. Mouth doesn't enter into it.
And the dialogue you'll have with someone on IRC is far different than you're going to have face-to-face with a person.
It's nice.
But on that same token, take it for what it is.
It is a conversation.
It is interaction.
It is not important, you know.
So let's butt in on that subject.
So let's move on.
Wrong button again.
There we go.
Learning.
Learning.
There's a number one point there.
Coding versus compiling.
This is a big issue when people are first getting into this.
You can use the old Star Wars parable, the good, you know, the force and the dark and the light side.
You know, compiling is the dark side.
Coding is the light.
There's a happy medium.
If you need a tool and you need it now, there is no sense in, like I say, reinventing the wheel.
Grab your tool.
Use your tool.
If you need a port scanner now, download it.
There's no point in rewriting things that have been written a thousand times and available on any search engine you can find for a file, obviously.
By that same token, though, if you have been running port scanners, I'll use port scanner kind of as foo and barf pretty frequently.
If you have never written a port scanner and you're using them all the time, you would do yourself a world of good.
Try writing one.
Write it in Perl.
Write it in BASIC.
Write it in C.
Write it in whatever.
Pick a language or pick a weird one.
You know, pick something obnoxious off the walls.
Try writing a port scanner in Python.
You know, why not?
Cool.
And learn how it works.
Understand what it's doing.
Put your own features.
Put your own tweaks.
Make it your own personal tool.
That is exactly what you want because the goal is not to write the port scanner.
The goal is to learn the machine you're on, to understand the machine.
Knowing how the code talks to itself, understanding what is going on inside the machine at the time, this is getting back to the essence of hacking, understanding how it works, knowing what something is doing, you know, that's the idea.
When you're simply just compiling other people's code, you aren't learning a damn thing.
All you are is going to 7-Eleven and buying a bag of chips, eating the chips, and throwing the bag down on the ground somewhere for someone else to trip on.
That's what coding and script kidding is.
You typically are not doing anything other than, you know, passing, you know, hey, I take this, I throw this, and it's there.
I didn't go get the water.
I didn't fill the water, you know.
You're wasting space.
You're a chunk of biomass that is, you know, polluting everyone else's time, and you need to just go away.
You're not benefiting, and you're not hacking.
You're a nuisance.
And typically, these are the people.
You're fine doing the packet floods, going to do the port scanning, getting in IRC wars, watching EFNet crash in a piling, burning code storm
because someone has decided they're going to packet the servers until they split and try to gain ops on pound feed the goats or something obnoxious.
Don't laugh.
That's the script kiddie channel.
So this goes along, like I said, know your code, know your tools, know yourself.
If you know how to write the code for the tools you're using, you're ahead of the game, and you're on your way to actually doing some true learning for these things.
And that's pretty important for getting respect from other people.
If you can write your own tools and have written your own tools and can show off that you've done this, then people understand, hey, this guy's actually doing something.
He understands what he's doing.
And you're going to find it's a lot more interesting, and it's a lot more fun.
Because how long do you need to do this?
How long do you want to keep downloading and running other people's programs?
How long do you want to keep running other people's scripts?
Or even more fun, you download a script and you have no idea what the script does.
They told you what it does.
You don't really know because you can't read the code.
There was a neat little code I used to pass around back years back.
It's kind of fun.
It's called ircop.irc.
And this was back when all the new people were coming in on the IRC around 93, 94.
And they are all, man, how do I get ops?
I want to get ops.
I need ops on this channel.
I'm going to take it over.
Oh.
And tell them, hey, I've got a script for you.
Want to run it?
Here.
DCC it over to them.
And they start running it.
And as soon as they run it, I'd know it because showing up in my message window says,
you've got the loser of the day.
And it's listing me in my little mini menu.
Meanwhile, on their side, it's saying, you know, script loaded.
What channel do you want to take over?
So they type in their channel.
It says, losers attempting to do this.
And it starts playing with echo on, echo off.
Turning their terminal off on, moving them to various places,
and then outputting things just for them to see.
And as far as they're concerned, they're taking over that channel.
And it says, you know, hacking ops, hacking ops.
Meanwhile, I'm sending codes like, you know, let's check their directory.
Hey, look at those files.
Which ones do you want to wipe out?
Shall we kill root?
And the funnest ones was you send to it, you CTCP to it Folgers Crystals.
And at that point, it wipes out everything in their home directory,
their entire mail directory.
And anything off the tree.
And replaces it with a file named Folgers underscore Crystals.
And then it announces to the entire channel, you know, they don't know it yet,
but we've secretly replaced their home directory with Folgers Crystals.
Let's see if they notice.
But then again, I didn't write it.
It was passed to me.
So.
However, I did go through and make a few of my own changes.
And of course, like I said before, before I ran it, I read it.
And I went through and made sure that the code I was about to run wasn't about to do to me what I'm about to do to somebody else.
It's stupid enough to run this code.
And that's along those lines.
You know, next thing you know, of course, OK, more anecdote to go with this one.
The other side story was one day I get a little piece of email from one of the admins saying,
hi, because I'm on an EDU at this time.
I went, hi, we'd like you to come in for a little meeting because distributing Trojans is not good.
So I apologized and swore I wouldn't do it again.
Very groveled.
And, you know, they said, OK.
So I told them, I said, they didn't have to run the code.
And they go, that doesn't matter.
Shame on you, Shatter.
Bad Shatter.
So.
OK, so let's get into the real world.
Now we've done a lot of we've done the some of the fictitious stuff here in the abstracts.
OK, here's the big wake up call for a lot of people.
Life is not television.
Life is not the movies.
This is not the movie Hackers.
OK, we don't run around with little heads up monocles.
We don't rollerblade.
And, you know, I've never been on a pair of rollerblades.
OK.
They look like fun.
You know, it doesn't have they don't run CP/M.
What's the point?
So, yeah, this is the real world.
I have ran into people and listen to them sit there and worshiping the movie Hackers going, dude, it's the greatest movie, man.
This is this is what it's all about, man.
Attacking that mainframe and taking over the Gibson.
And it's like, oh, shut the hell up.
Good God.
You know, I'm sorry.
Penn Jillette as a sysadmin is funny.
If anyone's ever met Penn, you understand why that's comical.
And, you know, the whole the Gibson, you know, yeah, it's named after William Gibson.
Yes, we've all read Neuromancer.
Yes, it's a fine novel.
But God, yeah, I can't go on in that movie enough because it was just absolutely hilarious watching it.
A television show I liked.
It was short lived, was Level 9 that used to be on.
It was on UPN.
That actually wasn't too bad of a show.
I actually.
I ended up talking with the producer last Defcon.
He was here and walked up to me, which was kind of humorous because I'm working with the back doors gooning.
And also this guy walks up, goes, Hi, can I take your picture?
And I'm like, why?
He's like, well, I'm doing a TV show and he gives me his card and he was legit and so chitchat and he was looking.
He was actually here at last Defcon getting an idea of what one of these conventions is like for use in material on the show and seeing what the people and they were trying to do it as accurate as possible.
And after having watched the show, it wasn't bad, wasn't offensive.
Um, yeah, you know, when you're actually watching hacking, if you haven't, if you're not totally familiar with hacking, looks like go over to the CTF and watch after about two minutes, you're gonna be bored off your ass because it's really boring.
You see some guy sitting in a screen like this and you know, he's tap, tap, tap, tap, tap, tap, tap, tap, tap, and they're the command line just typing little things.
It's it's not flashy.
You don't see spinning graphics and polygons and flying through visually getting this data read out and all this shit and and typing to dodge and oh shit, he's coming.
I gotta hit arrow key because here he comes and and oh oh god, I dodged it.
Yeah, no, no, it's tap, tap, tap, tap, return, tap, tap, tap, tap, tap, tap, tap, shit, that's that's hacking.
It's, you know, when you're getting in the computer level, but you know, so, um,
we'll point to good jobs perform background checks and they will check your background if if it's any kind of a of a very any kind of a high paying position, anything happening in the building, um, job, I was going to go on with a guy just this last spring, they were doing the background check on me and it was pretty funny because he called me up and said, Shatter, it, uh, failed.
I'm like, okay, so I ran him off.
I was like, okay, so I ran him off.
He says, okay, let me go back and talk to him again, and then they had their conversation and he goes, yeah, it was the public nuisance.
I'm like, damn, I usually wear that one like a badge, big badge.
Yes, I have been convicted.
Infraction public nuisance.
The people of the state of California found me to be a nuisance.
Yeah.
I pissed them off.
all off! Every last one of them! I did them all! They found me a nuisance. God bless the
legal system. It bit me on the ass. And they straight up said that considering the records
of everyone else that worked for this guy as a consultant and contractor, that the three
million insurance was just not enough anymore. And before I brought that, I was like the
final straw because apparently everyone else works with the guys just even worse. They
have many as nuisances as well. But they will check this shit. So you think something
you're doing when you're 18 and 19, that will hold on and those carry over. And once you
turn 18, it doesn't matter what the charge is. Anything infraction and up stays on your
record your whole life. And like I just, my case in point, being a public nuisance was
too much for these guys to have.
And uh, they said not until he had a larger insurance policy then it wasn't a big deal.
So uh, keep that in mind. That things you're doing now might affect you when you want a
job in 10, 15 years.
And bullet point three. Contrary to popular belief, convicted felons do not get government
jobs searching for hackers. Getting busted is the quickest way to never get a job in
the security field the rest of your life.
Uh, it's been a misconception.
I've heard ever since the first time I got into computers and stuff that, you know, the
whole, the urban legend of, uh, yeah, you know, the government secretly seeks out and
gets the most hardcore, the guys that they bust, they go to them and cut them deals
to get them to help them secure their systems and that's how you do it. Bullshit. If they
caught you, they don't want you.
You know, if...
I just caught that, I mean, if you catch, okay, you catch a kid's, you know, port scanning
and packet flooding your, your, your DSL, do you go, wow, that was great, you want a
job?
Fuck no.
You tell the kid, mm-mm, anyway.
So yeah, um, it don't happen.
And uh, so let's get in there, point four, white hat, black hat.
Hackers don't wear hats, okay?
Uh, every one of them I know do not wear hats.
If they are...
Uh...
That ain't my phone.
Uh, if they're gonna wear a hat, usually it's something along these lines.
I like this one.
I'm, I'm personally my propeller.
It's got a skull and it's black.
That's a hacker beanie.
Uh, yeah, no, and yes, it's black, uh, because I'm wearing a black shirt, black shorts,
black boots, so anything else would look silly.
Um, yeah, the whole hat thing is such a misconception.
Anytime I hear someone like, uh, quoted as, uh, the white hat hacker.
So-and-so was, oh, I want to slap him.
That's just as bad.
Or when they make reference to, well, these evil black hat hackers were coming in.
No.
Uh, uh, the difference between being a law abiding white hat hacker and a, and a evil
nasty plague antichrist to, to the world black hat hacker, uh, as I say here, distance
between those two is about 1.2 seconds.
And that's the length of time it takes you from being a nice, happy guy to, to getting
that annoying spam for the 50th time.
And you decide to, uh, check the IPs and you see it's the same IP every time.
And you decide, huh, let's go check his shares.
Oh, look at that Windows system.
Why he's got his shares wide open.
I'm going to nail him.
And guess what?
As soon as you touch those shares, you just intruded on that computer.
If you went across state lines, it's now a federal matter.
If you went into another country, it's now an international incident.
So that's about the long length of time it takes.
And quite honestly, with the amount of people I know on both sides of the fence, the people
in this computer security field and the people who I know through various channels that are
on the other side of the fence, they, uh, there's a lot of overlap.
I've never met maybe only one or two really, truly nasty, evil hacker types that are out
to pretty much destroy everything.
And they have a pretty short life expectancy.
They pretty much get nailed pretty quick because they're pretty stupid.
Likewise.
I have never met a pristine, perfect guy who is in the computer security field who has
never snickered.
And done a little, uh, watch this blew his connection off anyway, you know, it happens.
And anytime I hear the self-righteousness, the holier than thou or the I'm better than
you references to white hat, black hat, gray hat, and all that, I give them a big, because
it's bullshit.
Uh, you know, your, your, your action, you know, it's, it's all in your head.
It goes back to some of the ethics, the, uh, etiquette and your philosophy, it's, it's what you consider to be right and wrong.
And that's the differences.
And that's the only place that matters.
It is a putting a good, bad label on it is like saying a person is good or bad.
There's all shades of it in between.
And the absolute worst people in the world can suddenly be a nice guy.
And the nicest guys in the world can just snap and do something pretty horrible.
And that's computers is no different.
It's not any kind of perfect, you know, everything written in stone.
And I think I've pretty much already kind of cover the concept of responsibility for
your actions.
Uh, and that's a big, that's a big stickler with me.
It's one of the things that, and manners are two things that weigh pretty heavy with
me and a lot of the people I know, um, you know, do what you're going to do, but be responsible
about it.
Don't whine.
Don't say someone, it's someone else's fault.
Someone made you do it or any other, you know, asinine excuses that you can come up with.
If you did it.
If you say you did it, you know, have the balls to do it or don't do it, own up to
it.
Okay.
So go from here, uh, there's a lot of places to go learning, um, best places to go.
I find as a bookstore, um, pick up a book, pick up a subject you've never done before.
Uh, if you haven't worked with Perl, grab a, grab an intro to Perl book and, uh, you
know, start learning Perl.
Start slapping some code out and, and play with it.
Um, pick something new.
Uh, that's, that's going to be your number one source for learning is going to be a book.
There, uh, there is no, there is absolutely no substitution for a good, hard rock solid
based knowledge in anything.
Um, you can't, you can't learn the wrong thing.
There is no wrong thing.
Anything you learn is going to open the door to something else and it's going to be a foundation
to learn something more.
And keep moving and going.
Um, my girlfriend was, uh, learning, learning some H, some HTML and some other stuff and
somebody told her, well, why are you bothering me?
That's a waste of time.
It's not a waste of time.
Not at all.
Uh, she was picking up some, some visual basic and someone was like, well, why are
you doing that?
She, just go learn C.
It's like, why?
How, how, what's the, what, what is the point of going and learning C if you don't have
the foundation things?
And, and the foundation course that was teaching the basic concepts of computing was using
visual basic.
As their learning tool.
It was a tool.
You could use any language.
They chose that for whatever reason, because that's what they did.
The knowledge you learn is not going to go to waste.
So anytime I hear people make references to, you know, learning something that's wrong
or wasted knowledge, um, it's, and typically they're trying to just keep you, they don't
want you to learn it typically because they probably don't know it and they haven't bothered
to do it.
And if you go and learn something they don't know.
You're going to be better than them and they're jealous.
So learn what you can learn anything.
But like I said, my first recommendation is always read a book and there are thousands
on the market to pick up.
But anyway, so finding like-minded people, this is, uh, you know, a lot of times you
can do this in the bookstore.
When you're browsing books, you find someone looking at the same subject, um, classes at
college, mail list, listservs, um, there's, there's, I don't remember what the last count
of Usenet is.
Uh, it's, uh, I'm wondering if it's reached the 500, 500,000 market of groups of, of every
possible subject you can imagine for people that are doing anything and everything, hacking
anything.
I mean, look at the, look at the, some of the obnoxious work that's gone into some of
the Lego Mindstorm hacking.
I mean, Furby hacking.
I mean, that was, that was a big one there for a while.
But.
There's a lot of things.
I mean, if you see something new that comes out and it looks interesting, check it out,
work on it, see what you can do.
And there's a good chance you're going to find other people that are probably doing
the same thing at some point.
Um, so yeah, um, obtaining a project, this is another way you can also find people and
meet them.
Uh, like I said, like the Furby thing, pick a project, pick something big and it doesn't
necessarily matter what it is because the goal is not to, to get from.
Yeah.
Point A to point B. It's to, to go to point A via, uh, the town next, next town over and
learn all those maps before you come back to B.
Picking things up along the way, finding new things, anything you just haven't ever done
before.
There's, there's so many things out there besides learning code, learning TCP/IP, learning
C, learning Perl, this, that's, those are, that's a speck of dust on the wind of things
you can learn and, and, and hack on.
Um, any new, there's, I, it's such a, it's so many, it's hard to even pick one to, to
focus on, but what, it doesn't matter what you're working on, the concept is that you
are learning and that's typically what the hacking is all about.
If you're coming in, if you want to get, if you're hacking and you're here at DEF CON
because you want to learn how to break into a computer, you wasted your money, go home
because you've missed, you missed the boat.
Boat took off and ain't coming back.
You, you, you're a lost cause.
You're not going to be in jail anymore.
You're going to be in prison with one of these laws at that point.
Um, so avoiding jail, this is always a good one.
Um, avoiding jail, don't break the law.
It sounds pretty simple, but you'd be surprised how often people break the law because they
don't know the law and ignorance of the law does not exclude you from the law.
Before you're going to do anything, check it out, look into it, know what you're doing.
Um, make sure you're not doing something you shouldn't do.
If you want to practice breaking into computers, your best bet is to build your own local network, break into your own systems.
And then however you broke into that system, go to that box, repair it, and try to block that.
Then go back to your other box and re-attack it.
And work on your own system because what you do on your own computers is your business.
And you can do anything you please, launch any nasty anything, viruses, email bombs, all of it.
But as long as you are not sending it outside of your own local network, you're fine.
And in fact, it's encouraged.
That's a great way to learn.
That is an excellent way to get into some of the hard hacking because there's many steps to get up to that.
Because before you have your own local area network, well, you need a network.
So you're going to have to get in to learn the networking.
Well, before you have your network, you're going to need machines.
And the best way to get machines, build them.
And.
You don't necessarily need money because you don't need a high-end machine necessarily to do some of these things.
This stuff worked great on 486s.
This stuff worked great on Pentiums.
You don't need a 1.3 gig Athlon running 512 megs of RAM to play around with DoS attacks.
It's.
You don't need it.
So you can find probably free machines, parted out machines, or anything else laying around from people you know.
And slap them together and build them.
I mean, the other day, me and my brother got bored, and we got to talking about it.
And we wanted to play a bunch of some of the old crunch classic DOS games that just absolutely don't run in Windows.
Or they were even using various other things.
They just won't run.
So we started digging around through the drawers, and we scrounged up one of our old motherboards.
We pulled out a chip.
The only thing we actually ended up buying for the system in the end was we bought a 32 meg stick of RAM for $9.
And everything else was parts we had laying around.
We shoved it all in the machine.
I found an old ancient crusty hard drive that was, I think, it's an 80 meg drive.
We shoved that in there because it's still spun.
And, you know, now we've got a machine.
And so we're going to run DOS on it.
We could easily have put Linux, BSD, or anything else.
No, it's not going to be the fastest thing in the world, but who cares?
It was nothing.
And along the way, if you've never done something like that, you should.
And.
Figure out what's going on.
And your best thing that can possibly happen is it doesn't work.
Because if it doesn't work, now you've got to find out why.
And the why, it goes back to what we're trying to do here.
Is the why it's going on.
The how.
Not the fact that it's doing it.
Not the fact I pushed this button.
You know, push that button, that happened over there.
Ah, neat, I'm done.
Nah.
Why did it do it when you pushed the button?
So, hangover remedies.
How many people got hangovers today?
You people weren't having enough fun last night.
Hangover remedy.
Best hangover remedy?
Don't drink!
That doesn't happen at DEFCON.
Not when we feature the TCP/IP drinking game.
Yes, alcohol and DEFCON go hand in hand.
I don't advocate drinking much.
I encourage drinking a lot because it hurts.
Anyway, so, ah, fun stuff at DEFCON.
Lectures are a great, great source of killing time during the day until the parties start in the evening.
And, ah, I always hear things on news sources and other places, people saying that, you know, that, ah, you know, DEFCON's a farce.
I think, I think Microsoft, I heard yesterday, once again, this, once again, denounced DEFCON as being fake, phony, whatever.
I look around the room.
Let's don't look too fake to me, unless you're all holograms.
We haven't got those figured out yet, so you must be real, which means we're here, which means whatever here we're doing, it's all right.
Fuck Microsoft.
Huh?
Why do I what?
Because that's actually pretty much what was on the laptop.
You know, it, it, it's here.
It's running.
You know, whatever.
Actually, typically what I was doing.
I was doing a lot of dialing into, ah, my old job with this from the road, and in their infinite wisdom, decided to go from a standard login system to a, ah, to using a Windows networking remote login system.
And they completely bypassed the intermediary server, which used a complete separate login and password.
And that was to make it easier, which I laughed myself silly because, well, they were simply using everyone's, ah, local in-office machine login.
username, password.
And that's if you even bothered putting one on.
You know, it's just your desktop machine.
Yeah, what do you need a password for?
It's a workbox.
So, next thing you know is, of course, someone may want to change their password, or they're going to issue a new password.
And, of course, they, they, you know, email it out in their infinite wisdom, got rid of the wonderful sendmail box that we had running that was running, ah, was running on a Sun system.
And, ah, threw that out because the company, they only use Exchange Server because, damn it.
And it's better.
We had a virus a week.
I don't know.
Actually, we had a virus about every two to three days.
They were getting hit with yet another VBS script virus.
I hate using that term for the VBS because all they are is a glorified script.
But needless to say, of course, it would go through, hack, hack in, take over everyone's machine, email bomb everyone, and, you know, could box up and take the email and send it to whoever.
So, if everyone's passing their passwords around in email like they did, there we go, compromised.
Of course, that wasn't the only compromise.
There they, ah, the Unix systems, I think, were set up by people who were MCSE trained, which means they don't understand the concept of groups.
And so, the only way it got the entire system work on the full cluster was everyone used the same login.
Why not?
And even better, when they would write various Perl scripts to handle various other, ah, jobs and such.
Wow.
We'll just, in the code, oh, tell them it.
And there's the user and the password.
Ah, good, the script runs.
And they ran for the next three years.
And so, any time they wanted to change the password for everyone to use, they had to go through and change every script, some of the programs, some of the compiled code, because they put the user login and password right into the code.
And, of course, all the source was sitting there.
Yeah.
And the sad part is this is pretty typical of a lot of companies.
And, you know, you see in the news.
This company got hacked, or these guys got DOSed, or these guys got defaced.
And you wonder, wow, how can this be?
This is why.
The typical home user or the typical DEF CON attendees home system is probably locked up 10,000 times tighter than the average corporate system.
And I kid you not.
Guys who are hacking and whatnot back and forth on each other, their systems are far tighter than most anything you're going to find in the commercial industry.
And it's pretty sad.
But, you know, on the flip side.
You know, when they get attacked, I can't be too sad.
It's like, well, you were stupid.
You know, some of these companies, you make a recommendation about it, and they think you're about to hack them.
It's like, no, I want my company's system to be tight if I'm going to be on it.
And they think, oh, you're talking to security.
You're probing the ports.
You're going to do something to us, aren't you?
Not me.
Somebody will, though.
So, anyway.
Somebody put their hand up?
No.
Okay.
So, I think we're wrapping it down here.
Yeah, I've got a few more minutes.
So, now do we have any questions?
Yeah.
Are you talking home-based or corporate?
Home-based.
Most of them boil down to the same idea that what they're doing is.
Yeah.
There's, get down to two types of home systems.
You either have one that, by default, blocks certain port, by default, blocks every port.
I like those ones.
Those are nice.
First, or you have the flip side where they automatically, they have every port open, you decide what to block.
For most people in the home, automatically blocking everything and then asking you if you want it open is a little better.
Typically, what I'll throw on systems, I got it on this one here.
This is an old one that is, was.
This was bought out by, Symantec bought these guys and it turned into the internet, what are they called?
Internet personal security or internet security product.
No, it's the Symantec one.
Norton personal security, I think, or something like that.
I don't know.
Personal firewall?
Okay.
This was the predecessor to it called AtGuard and it was absorbed by them and stripped down.
But the nicest thing about this.
This was the one that actually blocked ads and you never, I don't see ads on web pages, but it had a firewall here and you can see it automatically, by default, this was the default one here, blocking Back Orifice and NetBus.
I'm sure had they stuck around or stayed as they were, they would have probably run Sub7 and some of the other ones and blocked them.
But this one here, by default, blocks all ports and then asks you what you want open.
And it was, it's pretty friendly.
It was decent.
Easiest thing is experiment with them.
See what you like and what works for you.
What's in the metal book?
Louder.
I got bad ears.
What's in the metal book that you recommend reading?
Read anything you've never read.
That's, huh?
I would listen to that.
Oh.
Yeah, you want to know what books I recommend.
I straight up say anything you haven't read.
If you've heard about it and you don't know anything about it, grab a book on it and read it.
Start there.
What would you do for like, I don't see, where would you go for information?
Yeah.
What would you do for any of the mail phones and stuff that you use for Usenet and stuff like that?
Um, Usenet, man, you just, it's almost as bad as a search engine.
You just punch in something after you download the entire list and find something for a word you're looking for.
Word of mouth, too, with some people, you kind of just poke around and see what there are.
A lot of times, some of the real, some of the more intensive ones, the name will have absolutely nothing to do with what the discussion is.
What about IRC?
IRC?
IRC is IRC, man.
That's anarchy.
It's, it's, it's, it's, it's just goes.
Um, yeah, it also depends on which network you're on.
I kind of backed out of most of it.
Yeah.
I got the first three words.
I, I, I'm still mad.
I, I, I got that here.
The legality between an attack and a consensual law is that you cross the back road.
You don't have to do it on a Sunday.
You cross the back road.
Oh, okay.
Uh, in other words, you're, you and a friend.
Right.
No problem.
Um, more than likely, what you have, what, what you have to do, what he's asking is, uh, the legalities of, say, you're attacking your friend who's somewhere else.
Uh, it depends on the type of attack, and you have to make sure that you're not violating use agreements.
Your ISP, your ISP that you're providing or whatever, usually is the first one that's going to say anything about it.
And if they allow it, then everyone in between, it doesn't matter.
It depends on the type of attack you're doing.
Um, if you're straight up DOSing, you're going to be DOSing everybody in between your two boxes.
Uh, and even packet floods that can be going on, too.
It depends on the type of attack.
If it's one, if it's a, if it's a high bandwidth connection just hammering everyone along the lines.
If you're using a Smurf-based distributed attack, where many are sending to the one, um, that will still end up hurting the ISP.
It depends on, on how far up the chain it is.
So, but if you're straight up trying to just do a penetration attack, you're probably going to be okay.
As long as it's consensual.
Uh, but check with the ISP and see what they, what they straight up say, do and don't do.
But anything that's going to, going to affect any system along the chain, that's typically illegal.
That's the easiest way to think about it.
And along the same way.
Ethically as well.
Make sure that, you know, you're not bugging anybody else in your exploration.
Yeah.
Yeah.
Yeah.
Yeah.
Yeah.
Yeah.
I, I, I'm pretty willing to bet unlikely because the game is only going to have access to certain resources and unless it's got the ability to set inbound, outbound, uh, I'd say no, as well as along the lines of, it depends on the game.
I mean, if the game has a potential to exploit, then yes, you could, but, um,
uh, I, I, I'm pretty willing to bet unlikely because the game is only going to have access to certain resources and unless it's got the ability,
the game itself has the ability to do things like modify your, your master boot record or whatnot, you, you know, it should be all right.
Oh.
The second question would be, uh, you're talking about hackers that don't wear black hats and white hats, so like what along those lines do you think there's a problem with a hacker and a cracker?
Okay.
I'm old.
To me, a cracker is a guy who's, who's busting open software.
That's how it's always been to me.
The, this other term of calling, separating the difference between a hacker and a cracker as being, uh, you know, what they're doing, you know, to me that's like newfangled thingamajig.
But, um, it, it, I, I tend to, some, depending on the cracker, what they're doing, I, I tend to lump them in with a script kiddie, which is, uh, nine-tenths of all the crackers out there are script kiddies.
They get on Bugtraq, they look for the newest exploit on what server, and then they exploit that server to deface.
And, you know, is that impressive?
No.
Not really.
I don't find, I, I don't find, I find defacements to be pretty boring, pretty tedious, and silly, and unless it's really, really well done, uh, the New York Times, that was, that was great.
That was funny.
I sent the, the New York Times hack about three years ago.
You can find it.
It's, there's still one.
That, that was, uh, that was Hacking for Girlies.
And they, uh, if you jump on Attrition, you can find it in the, uh, the archive.
Um.
That was beautiful because they cleaned it out.
The New York Times completely stripped it.
And a couple hours later, it's defaced again.
It took them a better part of a week to track down every little place that they hid the cron jobs and the code and got in and really just, just blew it open.
So that was, that was actually pretty good versus going in and, and, uh, nailing an IIS server.
And the humorous thing is if you look at some, if you go and look at Attrition, you can kind of start painting a picture of these defacements.
And you look at when they hit.
And you'll see some group will suddenly this day did 28 defacements.
And you go and look at the details of it.
Every defacement was on the same type of server using the same exploit at the same time uploading the same page.
Bang, bang, bang.
That's a script.
And what they did was they had a little script.
They went, launch.
And they went, look what I did.
I didn't do shit.
They sat and they, they changed a few variables and said launch.
And it went out and started going through hitting systems saying, what are you?
No, what are you?
What are, you're that?
Oh, I'm going to exploit you.
Who are you?
Who are you?
And that's all it is.
They just, it's kind of like, it's pretty similar to running a, uh, it's like port scanning except they're ports.
They're hitting multiple websites looking to see what server they run and exploit it.
So I, I, it's not impressive.
laughed a lot. Um, so their solution was to put up a second firewall. We'll put up another firewall,
we'll be even more protected. I kid you not. Two firewalls does not mean twice as, twice as secure.
Two firewalls means you, you've got, you're paying admins who don't know jack and shit, and they're
just spending more money because they don't know what they're doing, and they just think,
well, firewall will protect me. Firewall is only as good as the guy who set it up. Firewall is only
going to be as good as the guy who, who wrote the port blocks. And if you're, if you're, even if you're
running a Unix system, if you've got Windows machines on the backside of it and you're not
blocking ports 137 through 139, uh, barred from the outside world, that is the biggest hole in the world,
and it's in every version of Windows, even the new ones, every one of them. And if you've got 137 and
139 open, you can, you might as well just bend over and spread them, because anybody can come flying in
with us with a
shares exploit. So that's the, that, um, in fact, here, here's, here's my tip I tell everybody. Uh, the two
things you can do if you are running Windows on your home computer to make yourself almost
fairly secure as your first line of defense is, number one, um, you know, type it right now. Go into,
let's see, all right, let's go. You want to go into, uh,
go in here. All right, delete this file.
Destroy it, devastate it, kill it, make it go away. And as a, and if you want, you can even go in and, uh,
remove, uh, the file associations to, uh, to both of, there's two points to dot, there's one to .vbs
and one to something else. If you delete that, you will protect yourself and probably 99 percent of
the email viruses floating around the network today.
Um.
The, the part, this is, this is the Windows Scripting Host, and it has one purpose: to run Visual Basic
scripts on your system. And I'd say 99.9 of all people running Windows do not run VBS scripts.
That's that simple. Yet the default for all Windows installations is to incorporate this into Windows.
Um, the, for anyone that knows Perl and Unix systems,
this is the same equivalent as giving root access to Perl programs running under any user.
Okay, you should be laughing at that point. Um, that is exactly what that program does. You can tell it
to wipe out C, and then when you're wiping out C, you can also tell it, by the way, uh, hide the
dialogue boxes and don't, and make itself run completely silent. That is how the I Love You
virus runs. That's how all these other ones are doing it. They run through that thing there. If you
destroy that, you will protect yourself. And number two,
like I was saying before, uh, run any kind of personal firewall, public or whatever, and block
ports 137 and 139 from outside access on your system. Easiest way is, if you're running a DSL or
a dial-up, um, designate that LAN card or what, or whatever, or if you're not running a home network,
then just block it, because it's not needed. And that will block you from the, um, shares exploit,
which is, you know, wide open
by default on Windows. So between those two, you, you're not a hundred percent at that point, but
you're a whole lot better than you were two minutes before. Um, yeah.
I'm talking about the Windows networking sharing. Uh, it's essentially kind of like a file share
system that you, uh, you, you probe, you probe on 137 and then you talk on 139. Yeah, but you can go
into anyone's system effectively and, and,
by remote, turn it on, access their printers. Um, when we first were playing with this, some guy
argued, oh, you can't do that. So we dropped the Windows help file to his printer, every page.
Made a believer out of them.
All right, louder.
Yeah, yeah, yeah.
Uh, there's quite a few of them. If you want to pay, you can use SecureCRT, which is pretty slick.
There's also several public domain ones you can download. Uh, if you go to, like, Google or
something, or even files.com or whatever, just, uh, look for, just put in Windows, uh, SSH client,
and you should get quite a few returns.
Yeah, yeah, yeah.
Um.
Probably, uh, start with, uh, you can always go to L0pht. L0pht has got some of their stuff. They
done L0phtCrack and whatnot. L0phtCrack's a nice one if you're admining a box, to run on your, uh,
run against user, user account passwords to, uh, kind of do a quick, quick, quick hit to make sure
they're not using stupid dictionary ones. It's, it's somewhere to run your
dictionary one. But lock crack, you can also run deep crack and do a hard
penetrate. But there's stuff like that. Um, numerous resources. Um, I don't have one offhand. Uh, like I
said, you throw in Google and just type in, you know, hack, um, hacking tools, and you'll probably
get at least three or four hundred thousand returns. Um, try to stick to ones that look, that, uh,
that have fairly good references on their site, referencing back to, say, like, you know, um, not just
saying, hi, we like CDC, or hi, we like L0pht, but tied into maybe, I'm trying to think offhand,
places like slash.org. If they send you to a tool site, it just probably will warm you up and up
versus somebody who's backdoored all their tools, which is a big thing you got to look out for that,
you know, someone distributing it, script kiddies can easily backdoor all the tools and put them up.
Even things like SecureCRT, you know, you could have downloaded SecureCRT from somebody
and running it, and little do you know that there's actually hidden inside the actual EXE file
is a little keylogger that will once a day send out a short little burst back to their system,
letting you know everything you've ever typed. So, anyway, okay, it's one, and someone else is about
to come on deck, so I'm going to wrap it up. I'm gooning, and I'm around.
If you want to know anything, come up and ask me. I'm, you know, I'm always around.
